The CUI Program and this guide implement Executive Order 13556 and its implementing regulation, 32 CFR 2002, under the oversight of the Information Security Oversight Office (ISOO). They give agencies guidelines for marking, safeguarding, disseminating, sharing, decontrolling, and disposing of information that is not classified but that a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls.
Agencies, and the contractors that handle CUI on their behalf, must follow one consistent set of rules for this information and are subject to ISOO oversight of their compliance. That standardization replaces the patchwork of agency-specific markings and handling rules that preceded the program.
The purpose of the registry is to establish a common framework for safeguarding unclassified information.
The ISOO CUI Registry is designed to help agencies manage and share sensitive data consistently while meeting federal requirements. A common set of categories and handling rules reduces the risk of unauthorized disclosure, makes marking and handling mistakes easier to spot and correct, and gives recipients a clear signal of what protection a document needs.
The CUI Registry is the central catalog of the categories and subcategories of information that require safeguarding or dissemination controls under a law, regulation, or government-wide policy. Every entry cites the authority that justifies the control, and new categories are added only when such an authority is identified; classified information is outside the program entirely. The Registry is maintained by ISOO at the National Archives and Records Administration (NARA), the CUI Executive Agent, and is published online; the governing regulation is 32 CFR 2002.
For information to qualify as CUI, both of the following must hold:
1) A law, regulation, or government-wide policy must require or permit the agency to apply safeguarding or dissemination controls to it.
2) The information must fall within a category listed in the CUI Registry; an agency cannot designate information as CUI under a category the Registry does not contain.
Once designated, CUI must carry the “CUI” banner marking and any required category and dissemination-control indicators as described in the CUI Marking Handbook.
As well as mandating specific markings, the CUI rule sets minimum physical and procedural safeguards. Physically, CUI must be kept in a controlled environment, stored so that unauthorized persons cannot read it, and accessed only by authorized holders. On electronic systems, CUI must be protected by access controls so that only authenticated, authorized users can reach it, and systems should make the presence of CUI evident to the user, for example through a notice at login, a banner on the screen, and a header on every printed page. Federal systems handling CUI are protected at no less than the FIPS 199 “moderate” confidentiality impact level, and non-federal systems handling CUI on an agency’s behalf follow NIST SP 800-171.
CUI should be encrypted in transit and at rest wherever it is stored or transmitted outside a controlled environment, so that an unintended recipient cannot read it; where cryptography is used to protect CUI, it should be FIPS-validated. Agencies must also follow specific procedures when transporting CUI: containers must be protected against theft and must not be left unattended. Agencies may use controls such as encrypted portable storage devices and workstation arrangements that keep authorized holders’ screens and printers separate from those of employees who are not authorized to see the information.
Before controlled unclassified information (CUI) is disseminated, it must be appropriately marked by its originator or by an authorized holder. Authorized holders must complete the required CUI training, and each agency’s CUI Senior Agency Official is responsible for the policies that govern who may designate and handle CUI within that agency. Before releasing CUI, an authorized holder should check the agency’s CUI policy and the Registry entry for the category to confirm whether any limited-dissemination control applies.
When an authorized holder shares CUI with non-executive-branch entities, the sharing must be covered by an agreement or arrangement that requires the recipient to follow the CUI Program’s handling requirements. Agency-specific processes continue to apply on top of this: in DoD, for instance, prepublication review and security policy review follow standard DoD processes, and record copies are disposed of according to the applicable records schedule.
The ISOO CUI Registry creates a standard framework for safeguarding unclassified information that is subject to government-wide controls on access, handling, marking, and dissemination. The Registry promotes transparency by publicly listing the categories and subcategories of sensitive information that need protection, together with the authority behind each one, and it helps federal agencies take a consistent approach to categorizing that information in compliance with laws, regulations, and government-wide policies.
The CUI rule applies to all federal executive branch departments and agencies and, through contracts and agreements, to the contractors, vendors, and other organizations that handle federal information on an agency’s behalf. It sets rules for designating, safeguarding, disseminating, decontrolling, and disposing of CUI, and it imposes self-inspection and oversight requirements. Agencies must apply these rules uniformly across their offices, facilities, systems, and procedures.
The CUI rule provides a uniform framework for identifying information that needs protection and specific guidance on how to mark documents, emails, and electronic storage media. A document containing CUI must carry a “CUI” banner marking at the top of each page; electronic files and media are marked in their banner, title bar, label, or filename so that the presence of CUI is evident before the content is opened. The rule permits agencies to add administrative markings such as Pre-decisional, Draft, or Deliberative for context. These supplemental markings impose no additional safeguarding or dissemination controls, but they may be displayed alongside the CUI banner or as a watermark.
Electronic systems that store or process CUI must present the CUI marking and its associated category and dissemination-control indicators. This includes email systems, web servers, file storage and archiving systems, and video teleconferencing systems. Before forwarding a document containing CUI to another person or organization, its creator or an authorized holder should review it to confirm that the marking is correct and that the recipient is permitted to receive it.
Authorized holders must ensure that everyone participating in a meeting or discussion where CUI is shared has a lawful government purpose for receiving it and is permitted to receive it, and they should document that determination.
Once documents containing CUI are no longer needed, and no records-retention requirement applies, they must be destroyed as the CUI rule requires. The method of destruction must render the information unreadable, indecipherable, and irrecoverable. Agencies may use the methods in NIST SP 800-88 (Guidelines for Media Sanitization), which are less costly than the methods required for classified information, or any method approved for destroying classified information; either way, material awaiting destruction must remain marked and protected as CUI until it is destroyed.
Some commenters raised concerns about the rule’s impact on agencies’ ability to work with their partners and contractors and about the cost of specialized equipment for shredding CUI paper records. Those concerns stem from a misreading of the rule: it does not require destruction methods beyond those already approved for classified information, and it expressly accepts the less expensive NIST SP 800-88 methods.